Category Archives: Phishing

MacEwan University loses $11.8 million to scammers in phishing attack

Via: edmontonjournal.com

Low-level MacEwan University staffers were tricked into transferring $11.8 million into scammers’ bank accounts in what one expert said is among the largest publicly disclosed phishing scams.

The majority of the money, $11.4 million, has been traced to bank accounts in Montreal and Hong Kong.

“We are fairly confident that we will be able to recover those funds, the $11.4 million,” MacEwan spokesman David Beharry said Thursday. “It’s a question of how long will it take for the university to retrieve that money.”

He said $6.3 million has been seized from the account in Montreal, and actions are underway to freeze the two accounts in Hong Kong.

The $11.8 million loss represents about one-10th of what MacEwan receives as an annual operating grant from the government of Alberta. In the 2015-16 financial year, the university received $118 million from the province out of its $237.1-million budget.

“I think it’s safe to say that there was a lot of disappointment and frustration because this came down to human error,” Beharry said.

The fraud was discovered Aug. 23 after a supplier said it had not been paid. Beharry would not identify the supplier.

Fraudsters had created a website that resembled the domain site of one of the university’s major suppliers. Using that site, the fraudsters impersonated the supplier, asking the university to transfer accounts payable to a new bank account the fraudsters controlled.

Three MacEwan staffers made three payments to the bogus account over a nine-day period ending Aug. 19. The university paid out $1.9 million, $22,000, and finally $9.9 million.

Beharry would not say if the staffers have been disciplined or fired.

“The university does not believe there has been any sort of collusion,” he said. “We really believe this is simply a case of human error.”

The university is working with lawyers in Montreal, London and Hong Kong on civil action to recover the money. The status of the remaining $400,000 is not known.

MacEwan conducted an audit of its business processes after discovering the fraud and put controls in place “to prevent further incidents.” An internal audit group will also investigate the incident.

An early assessment determined that “controls around the process of changing vendor banking information were inadequate, and that a number of opportunities to identify the fraud were missed.”

David Shipley, CEO of Beauceron Security and former cyber-security lead at the University of New Brunswick, said MacEwan was likely the victim of what’s known as a business email compromise scam.

“It’s the single largest publicly disclosed amount I’ve seen,” he said. “That’s not to say there aren’t private companies that aren’t required to disclose this stuff that haven’t had (larger) losses.”

Shipley said Facebook and Google fell victim to similar scams, transferring “in the $100-million range” after being invoiced by fake suppliers.

“This is the intersection of people, process and technology,” he said. “People in that they got tricked, process in that being able to transfer that amount of money should have required additional financial controls. Technology played the smallest role — as in why didn’t their email filter it or alert them that (the sender) wasn’t who it said it was.”

Beharry said the university has funds to pay the supplier. The loss would not impact students, he said.

In a statement, Advanced Education Minister Marlin Schmidt said he is “disappointed” the university fell victim to the scam and has instructed all post-secondary institutions to review their financial controls.

“I expect post-secondary institutions to do better to protect public dollars against fraud,” Schmidt said.

Source: http://edmontonjournal.com/news/local-news/11-8-million-transferred-from-macewan-university-accounts-in-phishing-attack

Alert: New DHL Phishing Emails Targeting Fordham Community

Please be advised that there are suspicious emails circulating that are targeting members of the Fordham Community. The email contains what appear to be images of package slips. However, the images redirect you to a malicious phishing site.

These are not legitimate emails and should be reported immediately.
Please remain diligent and avoid giving any personally identifiable information through email. Pay attention to the sender of the email and if something appears suspicious, contact the sender directly to verify the message’s legitimacy. DO NOT respond via email. If direct contact with the sender is not possible, please contact ITCC for assistance.

The content of the email is as follows:

———- Start of Message ———-
From: DHL Service <baqader1407@gmail.com>
Date: Tue, Jun 27, 2017 at 9:50 AM
Subject: DHL delivery details ……
To:

Dear  Customer ,

Please find attached DHL AWB , pls printed and given to courier upon arrival .
Thanks

Best regards

DHL Expess Team

DHL receipt.pdf
—————End of Message—————-

 

Please remember that Fordham IT will NEVER ask you for your username and password or ask you to click any links to validate or verify your account or password. If you receive questionable or suspicious communications, contact IT Customer Care and allow the University Information Security Office (UISO) to validate the legitimacy of these communication attempts.

Article: Chrome and Firefox Phishing Attack Uses Domains Identical to Known Safe Sites

A phishing attack is when an attacker sends you an email that contains a link to a malicious website. You click on the link because it appears to be trusted. Merely visiting the website may infect your computer or you may be tricked into signing into the malicious site with credentials from a site you trust. The attacker then has access to your username, password and any other sensitive information they can trick you into providing.

This variant of a phishing attack uses Unicode to register domains that look identical to real domains. These fake domains can be used in phishing attacks to fool users into signing into a fake website, thereby handing over their login credentials to an attacker.

This affects the current version of Chrome browser, which is version 57.0.2987 and the current version of Firefox, which is version 52.0.2. This does not affect Internet Explorer or Safari browsers.

As you can see both of these domains appear identical in the browser but they are completely different websites. One of them was registered by us, today. Our epic.com domain is actually the domain https://xn--e1awd7f.com/ but it appears in Chrome and Firefox as epic.com.

The real epic.com is a healthcare website. Using our Unicode domain, we could clone the real epic.com website, then start emailing people and try to get them to sign into our fake healthcare website, which would hand over their login credentials to us. We may then have full access to their healthcare records or other sensitive data.

We even managed to get an SSL certificate for our demonstration attack domain from LetsEncrypt. Getting the SSL certificate took us 5 minutes and it was free. By doing this we received the word ‘Secure’ next to our domain in Chrome and the little green lock symbol in Firefox.

How to fix this in Firefox:

In your Firefox location bar, type ‘about:config’ without quotes.
Do a search for ‘punycode’ without quotes.
You should see a parameter titled: network.IDN_show_punycode
Change the value from false to true.
Now if you try to visit our demonstration site you should see:

Can I fix this if I use Chrome?

Currently we are not aware of a manual fix in Chrome for this. Chrome have already released a fix in their ‘Canary’ release, which is their test release. This should be released to the general public within the next few days.

Until then, if you are unsure if you are on a real site and are about to enter sensitive information, you can copy the URL in the location bar and paste it into Notepad or TextEdit on Mac. It should appear as the https://xn--….. version if it is a fake domain. Otherwise it will appear as the real domain in its unencoded form if it is the real thing.

Source: https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/
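
The check the article describes doing by hand (looking for the xn-- form) can be automated on a mail gateway or proxy. The following is an added example, not code from Wordfence or from this site: it decodes Punycode labels and flags hosts whose lookalike-folded form matches a trusted domain. The `CYRILLIC_LOOKALIKES` table and the `protected` set are constructed for illustration, and reading the script from the Unicode character name is an approximation.

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like ASCII letters.
# Unicode's confusables data is far larger; this table is illustrative only.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0455": "s", "\u0458": "j",
}


def decode_label(label):
    """Return the Unicode form of one DNS label; xn-- labels are Punycode."""
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def scripts(label):
    """Coarse script set, read from the first word of each character name."""
    found = set()
    for ch in label:
        if ch.isascii() and (ch.isdigit() or ch == "-"):
            continue  # digits and hyphen are shared by every script
        found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found


def skeleton(text):
    """Fold known lookalike letters to the ASCII letter they resemble."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in text)


def check_host(host, protected):
    """Classify a hostname against a set of domains users are expected to trust."""
    labels = host.lower().rstrip(".").split(".")
    try:
        decoded = [decode_label(label) for label in labels]
    except UnicodeError:
        return {"host": host, "verdict": "invalid-punycode"}
    name = ".".join(decoded)
    result = {"host": host, "decoded": name, "target": None}
    if name.isascii():
        result["verdict"] = "ascii"
    elif skeleton(name) in protected:
        result["verdict"] = "lookalike"
        result["target"] = skeleton(name)
    elif any(len(scripts(label)) > 1 for label in decoded):
        result["verdict"] = "mixed-script"
    else:
        result["verdict"] = "idn"
    return result


if __name__ == "__main__":
    protected = {"epic.com"}  # domain named in the article
    # xn--e1awd7f.com is the article's demonstration domain; the others are
    # constructed samples (a plain ASCII name and an ordinary German IDN).
    for host in ["epic.com", "xn--e1awd7f.com", "xn--mnchen-3ya.de"]:
        print(check_host(host, protected))
```

A "lookalike" verdict is the case from the article: every letter in the label is Cyrillic, so a mixed-script test alone would not catch it.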

Re: Appointment As UNICEF Ambassador-Sent to the Fordham Community Around March 23, 2017

This is a Phishing email that has been reported. This message was
received on or about March 23, 2017. Please DO NOT respond to this
message or anything that looks like it. You may disregard and delete
this message. If you have any questions about the validity of this email
please contact IT Customer Care at 718-817-3999 or via email:
helpit@fordham.edu.

——————–Begin Message ——————————

UNITED NATIONS
Ambassador Registration Department,
Ambassador Ms Susan Namondo Ngongi
UNICEF (UN) Representative
P O BOX 4325
Accra, Ghana.
 
 
UNICEF GHANA 
4-8th Rangoon Close
P. O. Box AN 5051
Cantonment
Accra, Ghana.

Attn: Ambassador Select,


                                                Re: Appointment As UNICEF Ambassador.


 
  Greetings to you. Am Ms. Susan Namondo Ngongi the current UNICEF Representative in Ghana. On the behalf of the United Nations Children Fund(UNICEF) and the Federal Republic of Ghana, I wish to inform you that your name was in the Vetted list of candidate that World Health Organization (WHO) submitted for Appointment as the UNICEF New National/Regional Ambassador. Am very happy to inform you that you are among ten (10) selected by the new secretary general of United Nations Hon. António Guterres. The Executive Director of UNICEF Sir Anthony Lake, has given his acknowledgement on your  appointment as UNICEF National and Regional Ambassador as Field coordinator In Ghana, and the current new president of Ghana Nana Akfo-Addo has also given his consent to your appointment, among his agent for Ghana is to provide humanitarian and developmental assistance to children and mothers in the country. Due to the increase of natural disaster and man-made crises around the globe, which has rendered most people homeless, there is an increase of lack of food, good water, education, shelter, and medication, which call for immediate attention. The need of humanitarian service has double more than ever; there is a high need of humanitarian officer that is why we do need you to care for some responsibility in refugee camps in Asia/Africa.
 
Benefits and Entitlements.
 
Ambassador’s benefit from family friendly, work-life, and diversity policies, and UNICEF is committed to maintaining a balanced gender and geographical representation. Other Benefits and entitlements include:
 
• Annual leave
• Dependency allowance
• Medical and dental insurance
• Pension scheme
• Rental subsidy
• Education grant
• Home leave
• Life insurance
• Paid sick leave
• Family leave
• Family Visit
• Maternity / Paternity adoption leave
• Special leave
 
Job Description.
 
Your responsibility as Field coordinator will be to care for the following.
 
    An administrative headquarters to coordinate services.
    Sleeping accommodations (frequently tents).
    Hygiene facilities (washing areas and latrines or toilets).
    Clinics, hospitals and immunization centers.
    Food distribution and therapeutic feeding centers.
    Communication equipment (e.g. radio).
    Security, including protection from banditry (e.g. barriers and security checkpoints).
    Peacekeeping troops to prevent armed violence.
    Places of worship.
    Schools and training centers (if permitted by the host country).
    Markets and shops (if permitted by the host country).
    Organizing workshop to educate children and women: given then education and preventive measure on health issues such as Aids, Cancer, Malaria, sickle cell anemia and typhoid fever
    Organizing a workshop to improve Talents in camps both children and women.
    Fund-Raising and Good communication.
 
The United Nations High Commissioner for Refugees (UNHCR) will provide all these facility mentions above. Is there any Benefit of accepting this position? Yes, there are a lot of benefit and allowance that wait for the New National/Regional  UNICEF Ambassador. Below is the line-up of your salary, your salary is a post adjustment salary. The post adjustment salary includes, a monthly base salary multiplier and takes into account cost-of-living factors and exchange rate fluctuation as well as inflation.
 
 
Salary of $55,000.00USD
Health allowances $4,543.00USD
Traveling allowance $6,321.00USD
 
Which is sum up to $65,864,00USD that you will be receiving monthly, besides you will be given a compensation of $50.000USD, also a good furnish 4 bedroom Apartment (optional if you wish to relocate to the place of duty) and a private SUV of your choice from the United Nations. In addition to this, you also have the mandatory right to claim any fund from any other financial institution or organization, being you the beneficiary or benefactor, without any form of disagreement or controversy. Moreover, you will be able to set up a refugee camp or Orphanage home in your own residential country with the UN Certificate of permit that will be the issue to you.
 
 Ambassador selects, so what then hold you back from completing your registration? Kindly get back to me with the complete filled forms, alongside with a size passport photograph of yourself and any means of your identification (your personal file and document are safe with us, we cherish the confidentiality of our Staff), kindly send them as soon as possible to complete your registration, which will only take 7 working days before all files and your official document to be ready before you resume office with all benefit, allowance, and compensation to be given to you. 
 
 
 
Best Regard,
Ambassador Ms Susan Namondo Ngongi
UNICEF Representative,
For Urgent Reply: susan-unicef@diplomats.com
Accra, Ghana.
    
                                                         ©2017 Unicef – All rights reserved
 
 
 
 
——————–End  Message ——————————

Eviction Notice #: Phishing Email Sent to the Fordham Community on 3/16/2017

This is a Phishing email that has been reported. This message was
received on or about March 16th, 2017. Please DO NOT respond to this
message or anything that looks like it. You may disregard and delete
this message. If you have any questions about the validity of this email
please contact IT Customer Care at 718-817-3999 or via email:
helpit@fordham.edu.

——————–Begin Message ——————————
From: <owsaxj@wireconsult.com>
Date: Thursday, March 16, 2017 at 6:44 PM
Subject: Eviction Notice # …..
To: user@fordham.edu

The eviction will take place on the date named in the enclosure unless you:

1. Leave the property and return control of the property to the landlord;
or
2. The occupant has the right to pay full amount ordered by the Court in the warrant of restitution to the landlord to stop the eviction process, unless the court checked the box on the Warrant of Restitution that says “Without Right of Redemption”.

The occupant has the right to pay the redemption amount to the landlord in cash or check at any time before actual execution of the eviction will take place.
On the day of eviction, the payment shall be made to the landlord or landlord’s agent in the
presence of the Executive Service in orderto stop the eviction order execution.


To download details, please get more information here:


Get Your Eviction Notice <LINK HERE>


WARNING:
• Once Executive Service begins the eviction, any personal property that you leave in the leased premises is considered abandoned. The occupant does NOT have any right to re-enter the property or re-claim any property after the eviction process.
• All property may be disposed of by the landlord at any time after the eviction process begins. The landlord is prohibited from putting the property in the street or alleys.
This is the final notice of the date of the eviction that you will receive, even if the eviction date is postponed by the sheriff.



The hotelkeeper should deliver the payer 14 bright careers heed. This stop that the hotelkeeper cannot conjecture the day the notice is served on the tenant, and the hotelkeeper cannot conjecture the day the payer stirs up agitate elsewhere. Example: A payer has been having behind celebration and displeasing unlisted tenants . The hotelkeeper has hardened the payer aggregate caveats to control the partying, on the contrary the payer has forgotten the landlord. The hotelkeeper agrees to deliver the payer a 14 day notice to cease the occupation for worthy breach . If the hotelkeeper hand over the payer the notice on July 5, so the notice is adequate on July 20. Why? July 5 doesn’t conjecture seeing that is the yr the notice is served. July 6-19 are the 14 bright days, and July 20 doesn’t conjecture seeing this is the day the payer should move elsewhere.

—————————–End Message —————

Fw: COPY OF DOCUMENTI – Phishing Email Sent to the Fordham Community on 2/7/2017

This is a Phishing email that has been reported. This message was
received on or about February 7, 2017. Please DO NOT respond to this
message or anything that looks like it. You may disregard and delete
this message. If you have any questions about the validity of this email
please contact IT Customer Care at 718-817-3999 or via email:
helpit@fordham.edu.

——————–Begin Message ——————————

From: Regional Traffic Management Offi Cordillera Administrative Region <rtmocar_opn@yahoo.com>

Date: Tue, Feb 7, 2017 at 9:34 PM
Subject: Fw: COPY OF DOCUMENTI
To: user@Fordham.edu

FYI
*There is an attached PDF titled “Document.pdf”, an image of which can be seen below*

——————–End  Message ——————————

New Message Notification- Phishing Email Sent to the Fordham Community on 01/25/17

This is a Phishing email that has been reported. This message was
received on or about January 25th, 2017. Please DO NOT respond to this
message or anything that looks like it. You may disregard and delete
this message. If you have any questions about the validity of this email
please contact IT Customer Care at 718-817-3999 or via email:
helpit@fordham.edu.

——————–Begin Message ——————————
From: Fordham Support <fordhamsupport@comcast.net>
Date: Wed, Jan 25, 2017 at 2:10 PM
Subject: New Message Notification
To: user@fordham.edu

Your Fordham account Needs to be verified for security purpose.

Verify Now (Link contained within text)

Fordham University.

—————————–End Message —————

Phishing Email With Subject ‘Urgent’ Sent to the Fordham Community on 01/17/17

This is a Phishing email that has been reported. This message was
received on or about January 17th, 2017. Please DO NOT respond to this
message or anything that looks like it. You may disregard and delete
this message. If you have any questions about the validity of this email
please contact IT Customer Care at 718-817-3999 or via email:
helpit@fordham.edu.

——————–Begin Message ——————————

From: user@fordham.edu
Date: Tue, Jan 17, 2017 at 8:29 AM
Subject: Urgent
To: user@fordham.edu

2017 FORDHAM email update program, click UPDATE (<–Link here) and fill the form correctly to update your email.

——————–End Message ——————————

Phishing Email With No Subject Sent to the Fordham Community on 01/16/17

This is a Phishing email that has been reported. This message was
received on or about January 16th, 2017. Please DO NOT respond to this
message or anything that looks like it. You may disregard and delete
this message. If you have any questions about the validity of this email
please contact IT Customer Care at 718-817-3999 or via email:
helpit@fordham.edu.

——————–Begin Message ——————————

From:Kelby Chrivia <kpchrivi@mtu.edu>
Date: Mon, Jan 16, 2017 at 11:54 AM
To: user@fordham.edu
Subject:

2017 FORDHAM email update program, click UPDATE (<–Link here) and fill the form correctly to update your email.

——————–End Message ——————————

ACG Website – Invitation to edit – Phishing Email Sent to the Fordham Community on 01/10/2017

These are Phishing emails that have been reported. These messages were
received on or about January 10th, 2017. Please DO NOT respond to these
messages or anything that looks like them. You may disregard and delete
these messages. If you have any questions about the validity of these emails
please contact IT Customer Care at 718-817-3999 or via email:
helpit@fordham.edu.

——————–Begin Message ——————————
From: User <user@fordham.edu>
Date: Tue, Jan 10, 2017 at 11:39 AM
Subject: ACG Website – Invitation to edit
To: user@fordham.edu

User has invited you to edit the following document:

ACG Website

Link Here
Google Docs: Create and edit documents online.
Google Inc. 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
You have received this email because someone shared a document with you from Google Docs.
Logo for Google Docs

—————————–End Message —————